Publications | 04/17/2019

Preparing for a potential breach – Tips for creating an Incident Response Plan

Team Contact: John Rondini


As the adage goes, “security is a process, not a product.” And when—not if—your business encounters a data breach, a clearly documented incident response plan will delineate (1) the steps that need to be taken during a breach; and (2) the response team that will handle all aspects of the breach.

In designing such a plan, one should consider including the following basic components:

    • How does the plan define a breach?
    • What are the roles, responsibilities, and authorizations of everyone involved in handling the breach (i.e., the response team)?
    • What tools will be used for managing the breach?
    • What steps need to be taken to address the breach?
    • How will the breach be investigated and communicated?
    • Does the breach require any legal notifications?

Once these basic components are assembled, the plan should be approved by your entire senior management team and distributed to all key employees. The plan should also be integrated into everyday operations, thereby ensuring a proactive approach to securing your data.

When assigning employees to the security team, keep in mind that its members are your front-line emergency responders. Each team member should be ready to jump into action the moment a potential breach has been identified. Your plan should begin with a leader whose primary responsibility is coordinating with all team members throughout the entire breach process. Whether the team leader is internal or external, the most important consideration is that they are available round-the-clock when a breach occurs.

Next, the plan should identify the employee whose primary responsibility is investigating the breach. The investigator will be tasked with collecting, preserving, and analyzing the data that may have been compromised. The investigator should also be involved in determining the root cause of the breach. Once the root cause has been determined, the investigator should be involved in closing off the breach and implementing system and service recovery.

Once the breach has been contained and the compromised data analyzed, your plan should outline the legal and human resource teams that need to be contacted. Legal counsel almost always needs to be involved in assessing whether the breach has triggered the notification requirements codified by local, state, federal, or international law.

For instance, Arizona’s breach notification statute (A.R.S. §18-552) does not require notification if the breach only included an individual’s name. But, if the breach included an individual’s name and driver’s license, that individual would likely need to be notified within 45 days of the breach. As the number of individuals affected by the breach increases, the associated cost of the breach may increase.

Finally, your team should also include a member tasked with documenting each potential breach. This person will work with all other team members and document all team activities, investigations, and discovery and recovery steps taken.


A thorough incident response process safeguards your organization from potential harm to your reputation and loss of revenue. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average cost of a data breach is now $3.6 million. But that amount can become significantly higher depending on the severity of the breach. In the case of Home Depot’s breach—which involved more than 65 million customer credit card accounts—the cost of the breach totaled more than $62 million.

It is, therefore, naive to believe that one’s network won’t be breached at some point. When an emergency occurs, you don’t want to waste time figuring out incident response processes and procedures while precious minutes are ticking away. Having a robust and well-thought-out incident response plan will mitigate risk, prepare you to handle the breach, and reduce the cost associated with it.
